SElinux and TCP Traceroute

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












0















I need to run a TCP Traceroute in the browser but are getting a few SElinux alerts.



I have tried creating a policy with audit2allow, e.g ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute and semodule -i my-traceroute.pp which removes the alerts but the traceroute still does not work and returns the message:
traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"],…] 0: ["traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"] 1: ["send: Permission denied↵".
There are no AVC alerts after I add these policies. Just that send: Permission denied↵ message sent back from the server.



I've even tried to create my own policy e.g



module traceroute 1.0;

require
type httpd_t;
class capability net_raw;
class rawip_socket getopt create setopt write read ;


#============= httpd_t ==============
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket getopt create setopt write read ;


and



checkmodule -M -m -o traceroute.mod traceroute.tt
semodule_package -o traceroute.pp -m traceroute.mod
semodule -i traceroute.pp



But that doesn't seem to do anything.



If I set SElinux to permissive the traceroute runs without issue.



Note: I have already set capabilities to allow traceroute to run as non-root user e.g Set cap_net_raw+ep on /usr/bin/traceroute



Any ideas??



Alerts:



SELinux is preventing /usr/bin/traceroute from create access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed create access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 2
First Seen 2019-03-05 15:45:17 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID a747c347-fced-47ae-a1e8-97753dfde465

Raw Audit Messages
type=AVC msg=audit(1551801996.735:1108250): avc: denied create for pid=24122 comm="traceroute" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=AVC msg=audit(1551801996.735:1108250): avc: denied net_raw for pid=24122 comm="traceroute" capability=13 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1


type=SYSCALL msg=audit(1551801996.735:1108250): arch=x86_64 syscall=socket success=yes exit=ESRCH a0=2 a1=3 a2=6 a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,create

-----------------------

SELinux is preventing /usr/bin/traceroute from bind access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed bind access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 82af42ef-6a01-4a8f-84da-79e2119e65b3

Raw Audit Messages
type=AVC msg=audit(1551801996.735:1108251): avc: denied bind for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1

type=AVC msg=audit(1551801996.735:1108251): avc: denied node_bind for pid=24122 comm="traceroute" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=1

type=SYSCALL msg=audit(1551801996.735:1108251): arch=x86_64 syscall=bind success=yes exit=0 a0=3 a1=7ffea5136340 a2=1c a3=7ffea5135da0 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,bind

---------------------

SELinux is preventing /usr/bin/traceroute from setopt access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed setopt access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 1
First Seen 2019-03-05 16:06:36 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 104114b1-9024-412d-a195-57eef1be45e3

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108252): avc: denied setopt for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108252): arch=x86_64 syscall=setsockopt success=yes exit=0 a0=3 a1=0 a2=a a3=7ffea5136398 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,setopt

------------------

SELinux is preventing /usr/bin/traceroute from connect access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed connect access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID ad1eedfa-b54a-4dfb-b719-3d402a686d95

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108253): avc: denied connect for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108253): arch=x86_64 syscall=connect success=yes exit=0 a0=3 a1=60f4d0 a2=1c a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,connect

-----------------

SELinux is preventing /usr/bin/traceroute from getattr access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed getattr access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID cdd75a7d-152b-49fe-a7c8-b9e437655d63

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108254): avc: denied getattr for pid=24122 comm="traceroute" laddr=167.86.68.164 lport=6 faddr=93.184.216.34 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108254): arch=x86_64 syscall=getsockname success=yes exit=0 a0=3 a1=7ffea5136400 a2=7ffea51363fc a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,getattr

------------------

SELinux is preventing /usr/bin/traceroute from getopt access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed getopt access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 1
First Seen 2019-03-05 16:06:36 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 97c5dfcd-ffe3-48e4-83ef-dfc526487bba

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108255): avc: denied getopt for pid=24122 comm="traceroute" laddr=167.86.68.164 lport=6 faddr=93.184.216.34 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108255): arch=x86_64 syscall=getsockopt success=yes exit=0 a0=3 a1=0 a2=e a3=7ffea51363f8 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,getopt

---------------

SELinux is preventing /usr/bin/traceroute from read access on the file tcp_ecn.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed read access on the tcp_ecn file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects tcp_ecn [ file ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 8f5dab14-4937-4ca5-abc8-23c0c5cb12f3

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108256): avc: denied read for pid=24122 comm="traceroute" name="tcp_ecn" dev="proc" ino=5310982 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1


Hash: traceroute,httpd_t,sysctl_net_t,file,read

----------------

SELinux is preventing traceroute from open access on the file /proc/sys/net/ipv4/tcp_ecn.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed open access on the tcp_ecn file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects /proc/sys/net/ipv4/tcp_ecn [ file ]
Source traceroute
Source Path traceroute
Port <Unknown>
Host di-staging
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 3
First Seen 2019-03-04 13:32:25 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 7f65540c-60f9-4566-8ab7-52d4f48d6389

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108256): avc: denied open for pid=24122 comm="traceroute" path="/proc/sys/net/ipv4/tcp_ecn" dev="proc" ino=5310982 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1


Hash: traceroute,httpd_t,sysctl_net_t,file,open










share|improve this question
























  • Yes, The request is sent using ajax and it returns the message "socket: Permission denied↵". I'll update the OP to make this more clear.

    – turrican_34
    Mar 5 at 19:12











  • Correction. With the audit2allow policies installed the message is: "traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"],…] 0: ["traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"] 1: ["send: Permission denied↵"

    – turrican_34
    Mar 5 at 19:21
















0















I need to run a TCP Traceroute in the browser but are getting a few SElinux alerts.



I have tried creating a policy with audit2allow, e.g ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute and semodule -i my-traceroute.pp which removes the alerts but the traceroute still does not work and returns the message:
traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"],…] 0: ["traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"] 1: ["send: Permission denied↵".
There are no AVC alerts after I add these policies. Just that send: Permission denied↵ message sent back from the server.



I've even tried to create my own policy e.g



module traceroute 1.0;

require
type httpd_t;
class capability net_raw;
class rawip_socket getopt create setopt write read ;


#============= httpd_t ==============
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket getopt create setopt write read ;


and



checkmodule -M -m -o traceroute.mod traceroute.tt
semodule_package -o traceroute.pp -m traceroute.mod
semodule -i traceroute.pp



But that doesn't seem to do anything.



If I set SElinux to permissive the traceroute runs without issue.



Note: I have already set capabilities to allow traceroute to run as non-root user e.g Set cap_net_raw+ep on /usr/bin/traceroute



Any ideas??



Alerts:



SELinux is preventing /usr/bin/traceroute from create access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed create access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 2
First Seen 2019-03-05 15:45:17 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID a747c347-fced-47ae-a1e8-97753dfde465

Raw Audit Messages
type=AVC msg=audit(1551801996.735:1108250): avc: denied create for pid=24122 comm="traceroute" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=AVC msg=audit(1551801996.735:1108250): avc: denied net_raw for pid=24122 comm="traceroute" capability=13 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1


type=SYSCALL msg=audit(1551801996.735:1108250): arch=x86_64 syscall=socket success=yes exit=ESRCH a0=2 a1=3 a2=6 a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,create

-----------------------

SELinux is preventing /usr/bin/traceroute from bind access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed bind access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 82af42ef-6a01-4a8f-84da-79e2119e65b3

Raw Audit Messages
type=AVC msg=audit(1551801996.735:1108251): avc: denied bind for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1

type=AVC msg=audit(1551801996.735:1108251): avc: denied node_bind for pid=24122 comm="traceroute" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=1

type=SYSCALL msg=audit(1551801996.735:1108251): arch=x86_64 syscall=bind success=yes exit=0 a0=3 a1=7ffea5136340 a2=1c a3=7ffea5135da0 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,bind

---------------------

SELinux is preventing /usr/bin/traceroute from setopt access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed setopt access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 1
First Seen 2019-03-05 16:06:36 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 104114b1-9024-412d-a195-57eef1be45e3

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108252): avc: denied setopt for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108252): arch=x86_64 syscall=setsockopt success=yes exit=0 a0=3 a1=0 a2=a a3=7ffea5136398 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,setopt

------------------

SELinux is preventing /usr/bin/traceroute from connect access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed connect access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID ad1eedfa-b54a-4dfb-b719-3d402a686d95

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108253): avc: denied connect for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108253): arch=x86_64 syscall=connect success=yes exit=0 a0=3 a1=60f4d0 a2=1c a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,connect

-----------------

SELinux is preventing /usr/bin/traceroute from getattr access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed getattr access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID cdd75a7d-152b-49fe-a7c8-b9e437655d63

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108254): avc: denied getattr for pid=24122 comm="traceroute" laddr=167.86.68.164 lport=6 faddr=93.184.216.34 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108254): arch=x86_64 syscall=getsockname success=yes exit=0 a0=3 a1=7ffea5136400 a2=7ffea51363fc a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,getattr

------------------

SELinux is preventing /usr/bin/traceroute from getopt access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed getopt access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 1
First Seen 2019-03-05 16:06:36 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 97c5dfcd-ffe3-48e4-83ef-dfc526487bba

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108255): avc: denied getopt for pid=24122 comm="traceroute" laddr=167.86.68.164 lport=6 faddr=93.184.216.34 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108255): arch=x86_64 syscall=getsockopt success=yes exit=0 a0=3 a1=0 a2=e a3=7ffea51363f8 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,getopt

---------------

SELinux is preventing /usr/bin/traceroute from read access on the file tcp_ecn.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed read access on the tcp_ecn file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects tcp_ecn [ file ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 8f5dab14-4937-4ca5-abc8-23c0c5cb12f3

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108256): avc: denied read for pid=24122 comm="traceroute" name="tcp_ecn" dev="proc" ino=5310982 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1


Hash: traceroute,httpd_t,sysctl_net_t,file,read

----------------

SELinux is preventing traceroute from open access on the file /proc/sys/net/ipv4/tcp_ecn.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed open access on the tcp_ecn file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects /proc/sys/net/ipv4/tcp_ecn [ file ]
Source traceroute
Source Path traceroute
Port <Unknown>
Host di-staging
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 3
First Seen 2019-03-04 13:32:25 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 7f65540c-60f9-4566-8ab7-52d4f48d6389

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108256): avc: denied open for pid=24122 comm="traceroute" path="/proc/sys/net/ipv4/tcp_ecn" dev="proc" ino=5310982 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1


Hash: traceroute,httpd_t,sysctl_net_t,file,open










share|improve this question
























  • Yes, The request is sent using ajax and it returns the message "socket: Permission denied↵". I'll update the OP to make this more clear.

    – turrican_34
    Mar 5 at 19:12











  • Correction. With the audit2allow policies installed the message is: "traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"],…] 0: ["traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"] 1: ["send: Permission denied↵"

    – turrican_34
    Mar 5 at 19:21














0












0








0








I need to run a TCP Traceroute in the browser but are getting a few SElinux alerts.



I have tried creating a policy with audit2allow, e.g ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute and semodule -i my-traceroute.pp which removes the alerts but the traceroute still does not work and returns the message:
traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"],…] 0: ["traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"] 1: ["send: Permission denied↵".
There are no AVC alerts after I add these policies. Just that send: Permission denied↵ message sent back from the server.



I've even tried to create my own policy e.g



module traceroute 1.0;

require
type httpd_t;
class capability net_raw;
class rawip_socket getopt create setopt write read ;


#============= httpd_t ==============
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket getopt create setopt write read ;


and



checkmodule -M -m -o traceroute.mod traceroute.tt
semodule_package -o traceroute.pp -m traceroute.mod
semodule -i traceroute.pp



But that doesn't seem to do anything.



If I set SElinux to permissive the traceroute runs without issue.



Note: I have already set capabilities to allow traceroute to run as non-root user e.g Set cap_net_raw+ep on /usr/bin/traceroute



Any ideas??



Alerts:



SELinux is preventing /usr/bin/traceroute from create access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed create access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 2
First Seen 2019-03-05 15:45:17 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID a747c347-fced-47ae-a1e8-97753dfde465

Raw Audit Messages
type=AVC msg=audit(1551801996.735:1108250): avc: denied create for pid=24122 comm="traceroute" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=AVC msg=audit(1551801996.735:1108250): avc: denied net_raw for pid=24122 comm="traceroute" capability=13 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1


type=SYSCALL msg=audit(1551801996.735:1108250): arch=x86_64 syscall=socket success=yes exit=ESRCH a0=2 a1=3 a2=6 a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,create

-----------------------

SELinux is preventing /usr/bin/traceroute from bind access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed bind access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 82af42ef-6a01-4a8f-84da-79e2119e65b3

Raw Audit Messages
type=AVC msg=audit(1551801996.735:1108251): avc: denied bind for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1

type=AVC msg=audit(1551801996.735:1108251): avc: denied node_bind for pid=24122 comm="traceroute" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=1

type=SYSCALL msg=audit(1551801996.735:1108251): arch=x86_64 syscall=bind success=yes exit=0 a0=3 a1=7ffea5136340 a2=1c a3=7ffea5135da0 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,bind

---------------------

SELinux is preventing /usr/bin/traceroute from setopt access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed setopt access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 1
First Seen 2019-03-05 16:06:36 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 104114b1-9024-412d-a195-57eef1be45e3

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108252): avc: denied setopt for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108252): arch=x86_64 syscall=setsockopt success=yes exit=0 a0=3 a1=0 a2=a a3=7ffea5136398 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,setopt

------------------

SELinux is preventing /usr/bin/traceroute from connect access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed connect access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID ad1eedfa-b54a-4dfb-b719-3d402a686d95

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108253): avc: denied connect for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108253): arch=x86_64 syscall=connect success=yes exit=0 a0=3 a1=60f4d0 a2=1c a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,connect

-----------------

SELinux is preventing /usr/bin/traceroute from getattr access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed getattr access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID cdd75a7d-152b-49fe-a7c8-b9e437655d63

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108254): avc: denied getattr for pid=24122 comm="traceroute" laddr=167.86.68.164 lport=6 faddr=93.184.216.34 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108254): arch=x86_64 syscall=getsockname success=yes exit=0 a0=3 a1=7ffea5136400 a2=7ffea51363fc a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,getattr

------------------

SELinux is preventing /usr/bin/traceroute from getopt access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed getopt access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 1
First Seen 2019-03-05 16:06:36 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 97c5dfcd-ffe3-48e4-83ef-dfc526487bba

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108255): avc: denied getopt for pid=24122 comm="traceroute" laddr=167.86.68.164 lport=6 faddr=93.184.216.34 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108255): arch=x86_64 syscall=getsockopt success=yes exit=0 a0=3 a1=0 a2=e a3=7ffea51363f8 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,getopt

---------------

SELinux is preventing /usr/bin/traceroute from read access on the file tcp_ecn.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed read access on the tcp_ecn file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects tcp_ecn [ file ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 8f5dab14-4937-4ca5-abc8-23c0c5cb12f3

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108256): avc: denied read for pid=24122 comm="traceroute" name="tcp_ecn" dev="proc" ino=5310982 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1


Hash: traceroute,httpd_t,sysctl_net_t,file,read

----------------

SELinux is preventing traceroute from open access on the file /proc/sys/net/ipv4/tcp_ecn.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed open access on the tcp_ecn file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects /proc/sys/net/ipv4/tcp_ecn [ file ]
Source traceroute
Source Path traceroute
Port <Unknown>
Host di-staging
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 3
First Seen 2019-03-04 13:32:25 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 7f65540c-60f9-4566-8ab7-52d4f48d6389

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108256): avc: denied open for pid=24122 comm="traceroute" path="/proc/sys/net/ipv4/tcp_ecn" dev="proc" ino=5310982 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1


Hash: traceroute,httpd_t,sysctl_net_t,file,open










share|improve this question
















I need to run a TCP Traceroute in the browser but are getting a few SElinux alerts.



I have tried creating a policy with audit2allow, e.g ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute and semodule -i my-traceroute.pp which removes the alerts but the traceroute still does not work and returns the message:
traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"],…] 0: ["traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"] 1: ["send: Permission denied↵".
There are no AVC alerts after I add these policies. Just that send: Permission denied↵ message sent back from the server.



I've even tried to create my own policy e.g



module traceroute 1.0;

require
type httpd_t;
class capability net_raw;
class rawip_socket getopt create setopt write read ;


#============= httpd_t ==============
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket getopt create setopt write read ;


and



checkmodule -M -m -o traceroute.mod traceroute.tt
semodule_package -o traceroute.pp -m traceroute.mod
semodule -i traceroute.pp



But that doesn't seem to do anything.



If I set SElinux to permissive the traceroute runs without issue.



Note: I have already set capabilities to allow traceroute to run as non-root user e.g Set cap_net_raw+ep on /usr/bin/traceroute



Any ideas??



Alerts:



SELinux is preventing /usr/bin/traceroute from create access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed create access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 2
First Seen 2019-03-05 15:45:17 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID a747c347-fced-47ae-a1e8-97753dfde465

Raw Audit Messages
type=AVC msg=audit(1551801996.735:1108250): avc: denied create for pid=24122 comm="traceroute" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=AVC msg=audit(1551801996.735:1108250): avc: denied net_raw for pid=24122 comm="traceroute" capability=13 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1


type=SYSCALL msg=audit(1551801996.735:1108250): arch=x86_64 syscall=socket success=yes exit=ESRCH a0=2 a1=3 a2=6 a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,create

-----------------------

SELinux is preventing /usr/bin/traceroute from bind access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed bind access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 82af42ef-6a01-4a8f-84da-79e2119e65b3

Raw Audit Messages
type=AVC msg=audit(1551801996.735:1108251): avc: denied bind for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1

type=AVC msg=audit(1551801996.735:1108251): avc: denied node_bind for pid=24122 comm="traceroute" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=1

type=SYSCALL msg=audit(1551801996.735:1108251): arch=x86_64 syscall=bind success=yes exit=0 a0=3 a1=7ffea5136340 a2=1c a3=7ffea5135da0 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,bind

---------------------

SELinux is preventing /usr/bin/traceroute from setopt access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed setopt access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 1
First Seen 2019-03-05 16:06:36 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 104114b1-9024-412d-a195-57eef1be45e3

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108252): avc: denied setopt for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108252): arch=x86_64 syscall=setsockopt success=yes exit=0 a0=3 a1=0 a2=a a3=7ffea5136398 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,setopt

------------------

SELinux is preventing /usr/bin/traceroute from connect access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed connect access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID ad1eedfa-b54a-4dfb-b719-3d402a686d95

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108253): avc: denied connect for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108253): arch=x86_64 syscall=connect success=yes exit=0 a0=3 a1=60f4d0 a2=1c a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,connect

-----------------

SELinux is preventing /usr/bin/traceroute from getattr access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed getattr access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID cdd75a7d-152b-49fe-a7c8-b9e437655d63

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108254): avc: denied getattr for pid=24122 comm="traceroute" laddr=167.86.68.164 lport=6 faddr=93.184.216.34 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108254): arch=x86_64 syscall=getsockname success=yes exit=0 a0=3 a1=7ffea5136400 a2=7ffea51363fc a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,getattr

------------------

SELinux is preventing /usr/bin/traceroute from getopt access on the rawip_socket labeled httpd_t.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed getopt access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 1
First Seen 2019-03-05 16:06:36 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 97c5dfcd-ffe3-48e4-83ef-dfc526487bba

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108255): avc: denied getopt for pid=24122 comm="traceroute" laddr=167.86.68.164 lport=6 faddr=93.184.216.34 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108255): arch=x86_64 syscall=getsockopt success=yes exit=0 a0=3 a1=0 a2=e a3=7ffea51363f8 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,getopt

---------------

SELinux is preventing /usr/bin/traceroute from read access on the file tcp_ecn.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed read access on the tcp_ecn file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects tcp_ecn [ file ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 8f5dab14-4937-4ca5-abc8-23c0c5cb12f3

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108256): avc: denied read for pid=24122 comm="traceroute" name="tcp_ecn" dev="proc" ino=5310982 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1


Hash: traceroute,httpd_t,sysctl_net_t,file,read

----------------

SELinux is preventing traceroute from open access on the file /proc/sys/net/ipv4/tcp_ecn.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that traceroute should be allowed open access on the tcp_ecn file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects /proc/sys/net/ipv4/tcp_ecn [ file ]
Source traceroute
Source Path traceroute
Port <Unknown>
Host di-staging
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 3
First Seen 2019-03-04 13:32:25 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 7f65540c-60f9-4566-8ab7-52d4f48d6389

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108256): avc: denied open for pid=24122 comm="traceroute" path="/proc/sys/net/ipv4/tcp_ecn" dev="proc" ino=5310982 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1


Hash: traceroute,httpd_t,sysctl_net_t,file,open







centos security selinux






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Mar 5 at 19:32







turrican_34

















asked Mar 5 at 18:42









turrican_34turrican_34

234




234












  • Yes, The request is sent using ajax and it returns the message "socket: Permission denied↵". I'll update the OP to make this more clear.

    – turrican_34
    Mar 5 at 19:12











  • Correction. With the audit2allow policies installed the message is: "traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"],…] 0: ["traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"] 1: ["send: Permission denied↵"

    – turrican_34
    Mar 5 at 19:21


















  • Yes, The request is sent using ajax and it returns the message "socket: Permission denied↵". I'll update the OP to make this more clear.

    – turrican_34
    Mar 5 at 19:12











  • Correction. With the audit2allow policies installed the message is: "traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"],…] 0: ["traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"] 1: ["send: Permission denied↵"

    – turrican_34
    Mar 5 at 19:21

















Yes, The request is sent using ajax and it returns the message "socket: Permission denied↵". I'll update the OP to make this more clear.

– turrican_34
Mar 5 at 19:12





Yes, The request is sent using ajax and it returns the message "socket: Permission denied↵". I'll update the OP to make this more clear.

– turrican_34
Mar 5 at 19:12













Correction. With the audit2allow policies installed the message is: "traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"],…] 0: ["traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"] 1: ["send: Permission denied↵"

– turrican_34
Mar 5 at 19:21






Correction. With the audit2allow policies installed the message is: "traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"],…] 0: ["traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"] 1: ["send: Permission denied↵"

– turrican_34
Mar 5 at 19:21











1 Answer
1






active

oldest

votes


















1














I've figured this out myself so I'll answer my own question.



The answer was to do both of the things I'd already tried in the OP, but use them together.
Previously I had only tried using audit2allow to create the policies and when it didn't work disabled those policies and attempted to create my own.



So, to get it working first use audit2allow to create a policy from the alerts.
ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute

then run
semodule -i my-traceroute.pp



Then create another custom policy which basically permits the opening of raw IP sockets for non-root users, that are required for executing the traceroute command.



Create a file called traceroute.tt and add the following to it:



module traceroute 1.0;

require
type httpd_t;
class capability net_raw;
class rawip_socket getopt create setopt write read ;


#============= httpd_t ==============
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket getopt create setopt write read ;



Then run the following commands (as root user):



checkmodule -M -m -o traceroute.mod traceroute.tt
semodule_package -o traceroute.pp -m traceroute.mod
semodule -i traceroute.pp


Done :)






share|improve this answer























    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "106"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f504562%2fselinux-and-tcp-traceroute%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    1














    I've figured this out myself so I'll answer my own question.



    The answer was to do both of the things I'd already tried in the OP, but use them together.
    Previously I had only tried using audit2allow to create the policies and when it didn't work disabled those policies and attempted to create my own.



    So, to get it working first use audit2allow to create a policy from the alerts.
    ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute

    then run
    semodule -i my-traceroute.pp



    Then create another custom policy which basically permits the opening of raw IP sockets for non-root users, that are required for executing the traceroute command.



    Create a file called traceroute.tt and add the following to it:



    module traceroute 1.0;

    require
    type httpd_t;
    class capability net_raw;
    class rawip_socket getopt create setopt write read ;


    #============= httpd_t ==============
    allow httpd_t self:capability net_raw;
    allow httpd_t self:rawip_socket getopt create setopt write read ;



    Then run the following commands (as root user):



    checkmodule -M -m -o traceroute.mod traceroute.tt
    semodule_package -o traceroute.pp -m traceroute.mod
    semodule -i traceroute.pp


    Done :)






    share|improve this answer



























      1














      I've figured this out myself so I'll answer my own question.



      The answer was to do both of the things I'd already tried in the OP, but use them together.
      Previously I had only tried using audit2allow to create the policies and when it didn't work disabled those policies and attempted to create my own.



      So, to get it working first use audit2allow to create a policy from the alerts.
      ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute

      then run
      semodule -i my-traceroute.pp



      Then create another custom policy which basically permits the opening of raw IP sockets for non-root users, that are required for executing the traceroute command.



      Create a file called traceroute.tt and add the following to it:



      module traceroute 1.0;

      require
      type httpd_t;
      class capability net_raw;
      class rawip_socket getopt create setopt write read ;


      #============= httpd_t ==============
      allow httpd_t self:capability net_raw;
      allow httpd_t self:rawip_socket getopt create setopt write read ;



      Then run the following commands (as root user):



      checkmodule -M -m -o traceroute.mod traceroute.tt
      semodule_package -o traceroute.pp -m traceroute.mod
      semodule -i traceroute.pp


      Done :)






      share|improve this answer

























        1












        1








        1







        I've figured this out myself so I'll answer my own question.



        The answer was to do both of the things I'd already tried in the OP, but use them together.
        Previously I had only tried using audit2allow to create the policies and when it didn't work disabled those policies and attempted to create my own.



        So, to get it working first use audit2allow to create a policy from the alerts.
        ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute

        then run
        semodule -i my-traceroute.pp



        Then create another custom policy which basically permits the opening of raw IP sockets for non-root users, that are required for executing the traceroute command.



        Create a file called traceroute.tt and add the following to it:



        module traceroute 1.0;

        require
        type httpd_t;
        class capability net_raw;
        class rawip_socket getopt create setopt write read ;


        #============= httpd_t ==============
        allow httpd_t self:capability net_raw;
        allow httpd_t self:rawip_socket getopt create setopt write read ;



        Then run the following commands (as root user):



        checkmodule -M -m -o traceroute.mod traceroute.tt
        semodule_package -o traceroute.pp -m traceroute.mod
        semodule -i traceroute.pp


        Done :)






        share|improve this answer













        I've figured this out myself so I'll answer my own question.



        The answer was to do both of the things I'd already tried in the OP, but use them together.
        Previously I had only tried using audit2allow to create the policies and when it didn't work disabled those policies and attempted to create my own.



        So, to get it working first use audit2allow to create a policy from the alerts.
        ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute

        then run
        semodule -i my-traceroute.pp



        Then create another custom policy which basically permits the opening of raw IP sockets for non-root users, that are required for executing the traceroute command.



        Create a file called traceroute.tt and add the following to it:



        module traceroute 1.0;

        require
        type httpd_t;
        class capability net_raw;
        class rawip_socket getopt create setopt write read ;


        #============= httpd_t ==============
        allow httpd_t self:capability net_raw;
        allow httpd_t self:rawip_socket getopt create setopt write read ;



        Then run the following commands (as root user):



        checkmodule -M -m -o traceroute.mod traceroute.tt
        semodule_package -o traceroute.pp -m traceroute.mod
        semodule -i traceroute.pp


        Done :)







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Mar 5 at 21:11









        turrican_34turrican_34

        234




        234



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Unix & Linux Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f504562%2fselinux-and-tcp-traceroute%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown






            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Displaying single band from multi-band raster using QGIS

            How many registers does an x86_64 CPU actually have?